Why Is Cyber Insurance Asking for MFA?

If your insurer has started asking whether multi-factor authentication is enabled across Microsoft 365, remote access, VPNs and admin accounts, they are not being awkward. They are responding to claims data. When businesses ask, “why is cyber insurance asking for MFA”, the short answer is simple: because compromised passwords are still one of the easiest and cheapest ways for attackers to get in.

For insurers, MFA is no longer a nice extra. It is one of the clearest signs that a business takes preventable risk seriously. For business owners and operations teams, that matters because the difference between having MFA properly in place and having patchy coverage can affect premiums, excesses, exclusions and, in some cases, whether a claim is paid at all.

Why is cyber insurance asking for MFA in the first place?

Cyber insurance has changed quickly over the last few years. Early policies were often broader, and insurers had less detail about how a business actually managed cyber risk. That changed when ransomware, business email compromise and account takeover claims surged.

A common pattern emerged. Attackers did not always need advanced techniques. They often got in through reused passwords, phishing emails, exposed remote desktop services or poorly protected cloud accounts. MFA blocks a large share of those attacks because a stolen password on its own is no longer enough.

From an insurer’s perspective, that makes MFA one of the simplest controls to check and one of the most meaningful. If a business cannot show that basic access controls are in place, the insurer is being asked to underwrite avoidable exposure. That is why proposal forms now ask more detailed questions, not just whether MFA exists somewhere, but where it is applied and how consistently.

MFA is about claims reduction, not box-ticking

It is tempting to see insurance security questions as paperwork. In reality, underwriters are trying to assess whether your business is likely to suffer the sort of incident that leads to a costly claim.

If an attacker gains access to one senior user’s email account, the damage can spread quickly. They may redirect payments, impersonate staff, steal sensitive information or use that mailbox to reset passwords on other services. If they gain access to an administrator account, the consequences are wider still – encrypted systems, disabled backups, new malicious users and significant downtime.

MFA reduces that risk materially. It does not make you immune, and insurers know that. Attackers can still exploit poor device security, social engineering or gaps in configuration. But MFA raises the effort required and stops many lower-effort attacks that would otherwise become expensive claims.

That is why insurers care less about security statements and more about practical controls. They want to see that barriers exist where attacks commonly start.

Which accounts usually need MFA for cyber insurance?

This is where many businesses get caught out. They assume enabling MFA for a handful of users is enough. Often it is not.

Most insurers are especially concerned about privileged accounts, email platforms, cloud services, remote access tools and any system that could expose sensitive data or provide a route into the wider network. In practice, that often includes Microsoft 365, VPN access, remote desktop gateways, firewall administration, backup platforms and line-of-business systems with administrative rights.

The exact wording varies between insurers. Some ask whether MFA is enabled for all users. Others focus on remote access and administrator accounts. Some may accept staged implementation for lower-risk systems, while others will not. The detail matters, because saying “yes” on a proposal form when only part of the estate is covered can create problems later.

Why insurers care so much about Microsoft 365

For many SMEs, Microsoft 365 is the front door of the business. Email, files, Teams, identities and often access to other connected applications sit behind it. If an attacker compromises that environment, they can do far more than read messages.

That is one reason insurers often ask very specific questions about MFA on Microsoft 365. If your staff can sign in with just a password, phishing becomes far more dangerous. If administrators can log in without stronger checks, one successful compromise can affect the whole tenancy.

There is also a practical issue. Microsoft 365 is widely used, and insurers know exactly how often it appears in real incidents. They are not picking on one platform. They are focusing on a common attack path.

MFA alone will not satisfy every insurer

This is the part worth understanding early. MFA is a baseline control, not the whole answer.

An insurer may also ask about endpoint protection, patching, immutable backups, staff awareness training, incident response plans and privileged access management. Some will want to know whether legacy authentication is disabled, whether conditional access is used, and whether backups are protected by separate credentials.

So if you are wondering why cyber insurance is asking for MFA, the broader answer is that insurers use it as a marker. Businesses that implement MFA properly are often more likely to have other sensible controls in place as well. It signals maturity, not perfection.

Common problems when businesses say they have MFA

The biggest issue is partial deployment. A business may have enabled MFA for Microsoft 365 users but forgotten shared mailboxes, admin accounts, third-party apps, VPN access or backup systems. On paper, it looks covered. In reality, there are still gaps an attacker can use.

Another common problem is relying on weak methods or poor enrolment. If inconsistent policies let some users sign in without MFA, or if old protocols that never prompt for a second factor remain enabled, the protection may be less effective than expected. The same applies where only some staff use it, or where leavers’ devices and access methods have not been tidied up.

Then there is the human factor. If MFA is introduced without planning, staff may resist it, use insecure workarounds or flood internal teams with support requests. That does not mean MFA is the problem. It usually means the rollout was not handled in a way that suits the business.

How to approach MFA without disrupting the business

The best approach is usually phased and practical. Start with the highest-risk accounts – administrators, directors, finance users, remote access and Microsoft 365. Then extend protection to the wider user base and any connected systems that create a route into core data or services.

At the same time, review how staff actually work. A warehouse team sharing terminals, a field-based sales team and a regulated professional practice may each need slightly different methods. The aim is not to make access painful. It is to make the common attack routes much harder without slowing the business to a crawl.

This is also where having a proactive IT partner helps. A good rollout is not just technical. It includes policy design, user communication, device setup, testing and a sensible fallback process when someone changes phone or loses access.

What insurers want to see in practice

Insurers are generally looking for evidence that MFA is deployed consistently, not just promised. They want honest answers, clear scope and a control set that reflects the way your business operates.

That means checking the wording carefully before renewal or a new application. If the form asks whether MFA is enabled on all remote access, make sure that includes any third-party support tools, VPNs and cloud admin portals. If it asks about privileged accounts, review every admin role, not only your main Microsoft tenant administrator.

For many SMEs, this is where the real value sits. The insurance process forces a clearer view of your current security position. It can expose blind spots before an attacker does.
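One way to check the gaps this section and the "Common problems" section describe (admin accounts with no MFA, users registered only with weaker methods, and protocols still using legacy authentication), as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK; the scopes, the strong/weak method lists and the legacy protocol names are assumptions to confirm against your own tenant and your insurer's wording.

```powershell
# Added example: MFA coverage audit for a Microsoft 365 tenant via the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the signed-in account can consent to these scopes.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All'

# Phone, e-mail and security-question methods are treated here as weaker
# than app, FIDO2 or Windows Hello. Adjust to match your insurer's form.
$StrongMethods = @('microsoftAuthenticatorPush', 'softwareOneTimePasscode',
                   'fido2SecurityKey', 'windowsHelloForBusiness',
                   'microsoftAuthenticatorPasswordless', 'hardwareOneTimePasscode')
# Client types that indicate basic/legacy authentication (never prompts for MFA).
$LegacyClients = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients')

function Get-MfaCoverageReport {
    # One row per member user: admin flag, MFA registered, and whether at
    # least one registered method is in the strong list.
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    foreach ($d in $details) {
        if ($d.UserType -ne 'member') { continue }   # guests are usually scoped separately
        $registered = @($d.MethodsRegistered)
        $hasStrong  = [bool]($registered | Where-Object { $StrongMethods -contains $_ })
        [pscustomobject]@{
            User          = $d.UserPrincipalName
            IsAdmin       = $d.IsAdmin
            MfaRegistered = $d.IsMfaRegistered
            WeakOnly      = ($registered.Count -gt 0) -and -not $hasStrong
            Methods       = ($registered -join ',')
        }
    }
}

$report = Get-MfaCoverageReport

# Admins with no MFA at all are the finding to fix first: one such account
# is the "administrator compromise" scenario described above.
$adminsNoMfa = @($report | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered })
$usersNoMfa  = @($report | Where-Object { -not $_.IsAdmin -and -not $_.MfaRegistered })
$weakOnly    = @($report | Where-Object { $_.WeakOnly })

"Admins without MFA : {0}" -f $adminsNoMfa.Count
"Users without MFA  : {0}" -f $usersNoMfa.Count
"Weak methods only  : {0}" -f $weakOnly.Count
$adminsNoMfa | Format-Table User, Methods -AutoSize

# Legacy authentication bypasses MFA entirely, so sample recent sign-ins and
# group any that used a legacy client. Use -All on busy tenants; the default
# sign-in log retention is limited, so run this before the renewal form is due.
$legacy = Get-MgAuditLogSignIn -Top 1000 | Where-Object { $LegacyClients -contains $_.ClientAppUsed }
$legacy | Group-Object ClientAppUsed | Select-Object Name, Count | Format-Table -AutoSize
```

The three counts map directly onto the proposal-form questions: a non-zero admin count or any legacy sign-ins means "yes, MFA is enabled everywhere" is not yet a truthful answer.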

Why this matters beyond the policy

Even if cyber insurance did not ask for MFA, most businesses should still be using it. The operational cost of a compromised email account, locked systems or a supplier payment fraud attempt is usually far higher than the inconvenience of an extra sign-in step.

There is also a reputational angle. Clients, partners and regulators increasingly expect businesses to put reasonable controls in place. MFA is becoming part of that baseline. It shows that access to business systems is treated with the seriousness it deserves.

For firms across the Midlands and the wider UK, especially those without a large internal IT function, this can feel like one more compliance demand. In practice, it is better seen as a straightforward risk reduction measure with clear commercial value.

Nubis 365 often sees businesses come to this question because of an insurance renewal, then realise the bigger benefit is not just satisfying an underwriter – it is tightening one of the most exposed parts of their environment before it causes downtime, disruption or loss.

If your insurer is asking about MFA, take it as a useful prompt rather than an administrative nuisance. Get clear on which systems matter most, check what is really enabled, and make sure your answer reflects reality. A policy can help after an incident, but the right access controls can stop one from becoming a claim in the first place.